FireWall-1 FAQ: Policy Install Logs Out Client Auth Users

Last Modified: 30 Dec 2003

Please note: This content was from when I was operating my FireWall-1
FAQ site, which I stopped operating in August 2005. For some reason people
still have links to this stuff on the Internet that people are still clicking
on.

I am making this information available again AS IS. Given how
old this information is, it is likely wildly inaccurate. I have no plans to
update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where
this information is still relevant to you, do yourself a favor and upgrade to
a more recent release. If you happen to be running a current release
and the information is useful, it's by happenstance :)

A policy re-install flushes certain tables, of which the client_auth table is one of. You can go into $FWDIR/lib/table.def on the management console and modify the following entry:

client_auth = dynamic sync expires AUTH_TIMEOUT;

A 'keep' needs to be added to the end of this line. It should read:

client_auth = dynamic sync keep expires AUTH_TIMEOUT;

You will need to re-install the security policy from the management console for this to take effect.

The 'keep' (which generally should be added after 'sync') will prevent the client_auth table from being flushed on a policy re-install. The only way to flush this table is to bounce FireWall-1 (fwstop; fwstart).